Verify trivy installation

anthony-nhs · anthony-nhs · commit e2f228dd72b5 · 2026-03-21T10:34:51.000Z
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,3 +1,20 @@
+FROM golang:1.26.1-bookworm AS build
+ARG TARGETARCH
+RUN apt-get update && apt-get install -y \
+    jq \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh
+COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
+RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
+RUN case "${TARGETARCH}" in \
+        x86_64|amd64) TRIVY_ARCH=64bit ;; \
+        aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
+        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+    && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh
+
+
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 ARG TARGETARCH
 ENV TARGETARCH=${TARGETARCH}
@@ -64,11 +81,13 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
     chmod 755 /usr/share/secrets-scanner && \
     curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
 
+COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
+
 USER vscode
 
-ENV PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"
+ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"
 RUN \
-    echo 'PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \
+    echo 'PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \
     echo '. <(asdf completion bash)' >> ~/.bashrc; \
     echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc; \
     echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc; \
@@ -83,8 +102,7 @@ RUN asdf plugin add python; \
     asdf plugin add actionlint; \
     asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \
     asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \
-    asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
-
+    asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git;
 
 WORKDIR /workspaces/eps-devcontainers
 COPY .tool-versions /workspaces/eps-devcontainers/.tool-versions
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -12,7 +12,8 @@
       "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
       "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
       "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
-      "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+      "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind",
+      "source=${env:HOME}${env:USERPROFILE}/.gitconfig,target=/home/vscode/.gitconfig,type=bind"
     ],
     "runArgs": [
       "--network=host"
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
@@ -33,6 +33,7 @@ jobs:
             echo "node_24_languages=$node_24_language_folders"
             echo "projects=$project_folders"
           } >> "$GITHUB_OUTPUT"
+
   package_base_docker_image:
     uses: ./.github/workflows/build_multi_arch_image.yml
     with:
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -64,9 +64,10 @@ jobs:
         with:
           fetch-depth: 0
       - name: setup trivy
-        uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
-        with:
-          version: v0.69.3
+        run: |
+           docker build  --output=/usr/local/bin/ -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" .
+        env:
+          ARCH: '${{ matrix.arch }}'
       - name: setup node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ac2707dd9cd60ad127275179495b9c890d74711
     needs:
       - get_asdf_version
     with:
@@ -32,7 +32,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@5ac2707dd9cd60ad127275179495b9c890d74711
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -9,7 +9,7 @@ jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0
+      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ac2707dd9cd60ad127275179495b9c890d74711
     secrets:
       AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}'
       AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}'
@@ -32,7 +32,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ac2707dd9cd60ad127275179495b9c890d74711
     needs:
       - get_asdf_version
     with:
@@ -41,7 +41,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   pr_title_format_check:
     uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0
+      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ac2707dd9cd60ad127275179495b9c890d74711
   get_issue_number:
     runs-on: ubuntu-22.04
     needs: quality_checks
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ac2707dd9cd60ad127275179495b9c890d74711
     needs:
       - get_asdf_version
     with:
@@ -33,7 +33,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@5ac2707dd9cd60ad127275179495b9c890d74711
     with:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@ src/base/.devcontainer/language_versions/
 .trivyignore_combined.yaml
 .out/
 .envrc
+.trivy_out/
diff --git a/.tool-versions b/.tool-versions
@@ -5,5 +5,4 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.69.3
 yq 4.52.2
diff --git a/Makefile b/Makefile
@@ -10,6 +10,9 @@ guard-%:
 		exit 1; \
 	fi
 
+.PHONY: install install-python install-node install-hooks build-base-image build-node-24-image build-node-24-python-3-10-image build-node-24-python-3-12-image build-node-24-python-3-13-image build-node-24-python-3-14-image \
+	build-eps-storage-terraform-image build-fhir-facade-image build-node-24-python-3-14-golang-1-24-image build-node-24-python-3-14-java-24-image \
+	build-regression-tests-image build-all build-image build-githubactions-image scan-image scan-image-json shell-image lint test lint-githubactions lint-githubaction-scripts github-login clean
 install: install-python install-node install-hooks
 
 install-python:
@@ -129,13 +132,9 @@ test:
 lint-githubactions:
 	actionlint
 
-github-login:
-	gh auth login --scopes read:packages
-
 lint-githubaction-scripts:
 	shellcheck .github/scripts/*.sh
 
 clean:
 	rm -rf .out
 	find . -type f -name '.trivyignore_combined.yaml' -delete
-	
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -9,6 +9,6 @@
   "license": "ISC",
   "description": "",
   "dependencies": {
-    "@devcontainers/cli": "^0.84.0"
+    "@devcontainers/cli": "^0.84.1"
   }
 }
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
@@ -2,5 +2,4 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.11
 ruby 3.3.0
-trivy 0.69.3
 yq 4.52.4
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
@@ -1,3 +1,19 @@
+FROM golang:1.26.1-bookworm AS build
+ARG TARGETARCH
+RUN apt-get update && apt-get install -y \
+    jq \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+COPY scripts/install_cosign.sh /tmp/install_cosign.sh
+COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
+RUN case "${TARGETARCH}" in \
+        x86_64|amd64) TRIVY_ARCH=64bit ;; \
+        aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
+        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+    && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh
+
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 
 ARG SCRIPTS_DIR=/usr/local/share/eps
@@ -16,6 +32,8 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
 
+COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
+
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
 COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf
diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64
@@ -0,0 +1,13 @@
+FROM golang:1.26.1-bookworm AS build
+RUN apt-get update && apt-get install -y \
+    jq \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh
+COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
+RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
+RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh
+
+FROM scratch
+COPY --from=build /tmp/trivy/trivy /
+ENTRYPOINT ["/trivy"]
diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64
@@ -0,0 +1,13 @@
+FROM golang:1.26.1-bookworm AS build
+RUN apt-get update && apt-get install -y \
+    jq \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+COPY scripts/install_cosign.sh /tmp/install_cosign.sh
+COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
+RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh
+
+FROM scratch
+COPY --from=build /tmp/trivy/trivy /
+ENTRYPOINT ["/trivy"]
diff --git a/src/base/.devcontainer/scripts/install_cosign.sh b/src/base/.devcontainer/scripts/install_cosign.sh
@@ -0,0 +1,109 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DEFAULT_INSTALL_DIR="/usr/local/bin"
+INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
+REQUESTED_VERSION="${1:-latest}"
+OS="$(uname -s)"
+ARCH="$(uname -m)"
+API_URL="https://api.github.com/repos/sigstore/cosign/releases"
+
+usage() {
+  cat <<'EOF'
+Usage: install_cosign.sh [version]
+
+Downloads the requested cosign release (default: latest) for Linux amd64, verifies
+its signature, and installs it into $INSTALL_DIR (override via INSTALL_DIR env var).
+EOF
+}
+
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+  usage
+  exit 0
+fi
+
+if [[ "$OS" != "Linux" ]]; then
+  echo "Error: This installer currently supports Linux only" >&2
+  exit 1
+fi
+
+case "$ARCH" in
+  x86_64|amd64)
+    BINARY_NAME="cosign-linux-amd64"
+    ;;
+  aarch64|arm64)
+    BINARY_NAME="cosign-linux-arm64"
+    ;;
+  *)
+    echo "Error: Unsupported architecture $ARCH" >&2
+    exit 1
+    ;;
+esac
+
+for cmd in curl openssl install go jq; do
+  if ! command -v "$cmd" >/dev/null 2>&1; then
+    echo "Error: $cmd is required but not found in PATH" >&2
+    exit 1
+  fi
+done
+
+get_latest_tag() {
+  local response
+  response="$(curl -fsSL "$API_URL/latest")"
+  awk -F'"' '/tag_name/ {print $4; exit}' <<<"$response"
+}
+
+VERSION="$REQUESTED_VERSION"
+if [[ "$VERSION" == "latest" ]]; then
+  VERSION="$(get_latest_tag)"
+fi
+
+if [[ -z "$VERSION" ]]; then
+  echo "Error: Unable to determine cosign version" >&2
+  exit 1
+fi
+
+BASE_URL="https://github.com/sigstore/cosign/releases/download/${VERSION}"
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+download() {
+  local url="${1}" dest="${2}"
+  echo "Downloading ${dest} ..."
+  curl -fsSL "${url}" -o "${dest}"
+}
+
+BIN_PATH="$TMP_DIR/${BINARY_NAME}"
+SIGSTORE_PATH="$TMP_DIR/${BINARY_NAME}-kms.sigstore.json"
+ARTIFACT_PATH="$TMP_DIR/artifact.pub"
+DECODED_SIGSTORE_PATH="$TMP_DIR/cosign-kms.sig.decoded"
+
+download "${BASE_URL}/${BINARY_NAME}" "$BIN_PATH"
+download "${BASE_URL}/${BINARY_NAME}-kms.sigstore.json" "$SIGSTORE_PATH"
+
+# install tuf-client
+go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest
+
+# setup tuf-client
+SIGSTORE_ROOT_PATH="$TMP_DIR/sigstore-root.json"
+curl -o "$SIGSTORE_ROOT_PATH" https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json
+tuf-client init https://tuf-repo-cdn.sigstore.dev "$SIGSTORE_ROOT_PATH"
+
+tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > "$ARTIFACT_PATH"
+
+cat "$SIGSTORE_PATH" | jq -r .messageSignature.signature | base64 -d > "$DECODED_SIGSTORE_PATH"
+pushd "$TMP_DIR" >/dev/null
+echo "verifying signature with artifact.pub"
+openssl dgst -sha256 -verify "$ARTIFACT_PATH" -signature "$DECODED_SIGSTORE_PATH" "$BIN_PATH"
+popd >/dev/null
+
+echo "verifying signature with cosign verify-blob"
+chmod +x "$BIN_PATH"
+${BIN_PATH} verify-blob --bundle "${SIGSTORE_PATH}" --key "$ARTIFACT_PATH" "$BIN_PATH"
+
+mkdir -p "$INSTALL_DIR"
+install -m 0755 "$BIN_PATH" "${INSTALL_DIR}/cosign"
+
+"${INSTALL_DIR}/cosign" version
+
+echo "cosign ${VERSION} installed to ${INSTALL_DIR}"
diff --git a/src/base/.devcontainer/scripts/install_trivy.sh b/src/base/.devcontainer/scripts/install_trivy.sh
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
diff --git a/src/projects/regression_tests/.devcontainer/.tool-versions b/src/projects/regression_tests/.devcontainer/.tool-versions
diff --git a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
